Scratch has suffered repeated SVG sanitization vulnerabilities (2019–2026) that allow XSS attacks and HTTP leaks, enabling attackers to compromise accounts or log IP addresses of users opening malicious projects. Each fix—from regex filtering to DOMPurify to CSS parsing—has been bypassed within months or years. The author argues Scratch's layered sanitization approach is fundamentally doomed because parsing and injecting untrusted SVG into the DOM cannot be made safe through filtering alone.
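The summary above argues that no sanitizer can make untrusted SVG safe to inline into the application's DOM. The added example below is not Scratch's code and not from the article; it shows the defensive shape that follows from that argument: a strict allowlist check (rejecting unknown elements, event-handler attributes and any non-fragment reference, the HTTP-request vector behind the IP-logging leaks) used only as a first layer, plus the response headers for serving the file from a separate user-content origin so it is only ever rendered through an `<img>` element, where browsers execute no script and fetch no subresources. The allowlists, the names `check_svg` and `isolation_response_headers`, and the sample inputs are assumptions constructed for this example.

```python
"""Allowlist check plus isolation for untrusted SVG (added example, not Scratch's code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Deliberately small allowlist of element and attribute local names (an assumption
# for this example; a real deployment tunes it to the shapes it actually needs).
ALLOWED_ELEMENTS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                    "polyline", "polygon", "defs", "use", "title", "desc"}
ALLOWED_ATTRS = {"id", "x", "y", "width", "height", "viewBox", "d", "r", "rx", "ry",
                 "cx", "cy", "x1", "y1", "x2", "y2", "points", "fill", "stroke",
                 "stroke-width", "transform", "opacity", "href"}


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def check_svg(svg_text):
    """Return (accepted, reasons). Allowlist, not denylist: anything unknown is rejected.

    xml.etree is used for brevity; production code should parse with defusedxml
    so entity-expansion tricks are refused before this walk even runs. This check
    is a first layer only; the file is still never inlined into the app's DOM.
    """
    reasons = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return False, [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append("root element is not svg")
    for el in root.iter():
        tag = _local(el.tag)
        if tag not in ALLOWED_ELEMENTS:
            # Covers script, style, foreignObject, a, image, and anything else unknown.
            reasons.append(f"element not allowed: {tag}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                reasons.append(f"event handler attribute: {name}")
            elif name not in ALLOWED_ATTRS:
                reasons.append(f"attribute not allowed: {name}")
            elif name == "href" and not value.startswith("#"):
                # A non-fragment reference makes the viewer's browser request a
                # URL the uploader chose, which is all an IP logger needs.
                reasons.append(f"external reference: {value}")
    return (not reasons), reasons


def isolation_response_headers():
    """Headers for serving a stored SVG from a dedicated user-content origin.

    The app embeds the file as <img src="https://USERCONTENT-ORIGIN-PLACEHOLDER/...">
    rather than inlining its markup; in an image context the browser runs no
    script and loads no external resources. These headers keep the file inert
    if someone navigates to it directly instead.
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline",
    }


# Constructed sample inputs for this example.
BENIGN = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
          '<rect x="1" y="1" width="8" height="8" fill="#09f"/></svg>')
LEAKY = ('<svg xmlns="http://www.w3.org/2000/svg" '
         'xmlns:xlink="http://www.w3.org/1999/xlink">'
         '<use xlink:href="https://tracker.invalid/shape.svg#s"/></svg>')
SCRIPTED = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* any script */</script></svg>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("leaky", LEAKY), ("scripted", SCRIPTED)):
        ok, why = check_svg(doc)
        print(f"{label}: {'accepted' if ok else 'rejected'} {why}")
    print(isolation_response_headers())
```

The allowlist rejects by default, so a new SVG feature the sanitizer's author never heard of cannot slip through as a denylist miss; but the design point the article makes is the second function: even an accepted file is rendered through an image context on another origin, so a future allowlist mistake costs a broken drawing rather than a session.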
Safety
The Woes of Sanitizing SVGs
Scratch's seven-year cycle of SVG sanitization bypasses (2019–2026) proves that filter-based defenses cannot secure untrusted content injected into the DOM, enabling XSS and account compromise.
Monday, April 27, 2026 12:00 PM UTC | 2 min read | Source: Hacker News | By sys://pipeline
Tags: safety